Analyzing the auditing data


You can analyze the auditing data for intrusion detection activities, and obtain reference information about the fields in the IM audit record.

The following example shows an Intrusion Monitor (IM) audit record entry with information about an intrusion event for a restricted Internet Protocol (IP).
                 Display Journal Entry
    Object . . . . . . .:                  Library  . . . . . .:
    Member . . . . . . .:
    Incomplete data  . .:   No             Minimized entry data: *NONE
    Sequence . . . . . .:   5
    Code . . . . . . . .:   T  - Audit trail entry
    Type . . . . . . . .:   IM - Intrusion detection monitor

                Entry specific data
    Column    *...+....1....+....2....+....3....+....4....+....5.
    00001    'P2005-06-06-15.01.32.6482729999 000009.10.11.0    '
    00051    '                                  000009.10.11.255'
    00101    '                         ,         ATTACK    RESTPROT'

The following table shows the layout of the IM audit record. Use the information in this table to analyze and interpret the IM audit record.

Table 1. Layout of the IM audit record (each field lists its type/format, description, and the value from the sample entry above)

Entry type
    Type/format: Char(1)
    Description: The potential intrusion event detected.
    Sample entry: P

Time of event
    Type/format: TIMESTAMP
    Description: The timestamp of when the event was detected.
    Sample entry: 2005-06-06-15.01.32.648272

Detection point identifier
    Type/format: Char(4)
    Description: The unique identifier for the processing location that detected the intrusion event. This field is for use by service personnel.
    Sample entry: 9999

Local address family
    Type/format: Char(1)
    Description: The local IP address family associated with the detected event. This field is hidden and appears blank. Press F11 (Display hexadecimal information).
    Sample entry: (hidden)

Local port number
    Type/format: Zoned(5,0)
    Description: The local port number associated with the detected event. (A value of 00000 represents an intrusion on any port because there is no port 0.)
    Sample entry: 00000

Local IP address
    Type/format: Char(46)
    Description: The local IP address associated with the detected event.
    Sample entry: 9.10.11.0

Remote address family
    Type/format: Char(1)
    Description: The remote address family associated with the detected event. This field is hidden and appears blank. Press F11 (Display hexadecimal information).
    Sample entry: (hidden)

Remote port number
    Type/format: Zoned(5,0)
    Description: The remote port number associated with the detected event.
    Sample entry: 00000

Remote IP address
    Type/format: Char(46)
    Description: The remote IP address associated with the detected event.
    Sample entry: 9.10.11.255

Probe type identifier
    Type/format: Char(6)
    Description: The type of probe used to detect the potential intrusion. Possible values include:
        ATTACK  Attack action event
        TR      Traffic regulation trace action event
        SCANG   Scan global action event
        SCANE   Scan event action event
    Sample entry: ATTACK

Event correlator
    Type/format: Char(4)
    Description: The unique identifier for this specific intrusion event. You can use this identifier to correlate this audit record with other intrusion detection information. This field is hidden and appears blank. Press F11 (Display hexadecimal information).
    Sample entry: (hidden)

Event type
    Type/format: Char(8)
    Description: The type of potential intrusion that was detected. The possible values include:
        MALFPKT   Malformed packet
        FLOOD     Flood event
        ICMPRED   Internet Control Message Protocol (ICMP) redirect
        PERPECH   Perpetual echo
        IPFRAG    IP fragment
        RESTPROT  Restricted internet protocol (IP)
    Sample entry: RESTPROT

Suspected packet
    Type/format: Char(1002)
    Description: The variable-length, binary field that might contain up to the first 1000 bytes of the IP packet that is associated with the detected event. The first 2 bytes of this field contain the length of the suspected packet information. This field is hidden and appears blank. Press F11 (Display hexadecimal information).
    Sample entry: (hidden)
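The following added example (not IBM code) shows how the fixed-width layout in Table 1 can be used to split the entry-specific data of an IM record into named fields for automated review. It assumes the TIMESTAMP field is the 26-character form shown in the sample entry, and the sample record it parses is a constructed copy of the entry displayed above with the hidden fields left blank.

```python
# Added example: parse the entry-specific data of an IM audit record using the
# Char/Zoned field lengths from Table 1 (record layout, in order).
# The TIMESTAMP length (26) is assumed from the sample entry's format.
IM_LAYOUT = [
    ("entry_type", 1),
    ("time_of_event", 26),
    ("detection_point", 4),
    ("local_addr_family", 1),   # hidden; blank in the display
    ("local_port", 5),
    ("local_ip", 46),
    ("remote_addr_family", 1),  # hidden; blank in the display
    ("remote_port", 5),
    ("remote_ip", 46),
    ("probe_type", 6),
    ("event_correlator", 4),    # hidden; blank in the display
    ("event_type", 8),
]
FIXED_LENGTH = sum(length for _, length in IM_LAYOUT)  # 153 characters

PROBE_TYPES = {"ATTACK", "TR", "SCANG", "SCANE"}
EVENT_TYPES = {"MALFPKT", "FLOOD", "ICMPRED", "PERPECH", "IPFRAG", "RESTPROT"}


def parse_im_record(data: str) -> dict:
    """Slice the record by fixed offsets and validate the code fields.

    The suspected packet (Char(1002), 2-byte length prefix) is whatever
    follows the fixed part and is returned as-is.
    """
    fields, pos = {}, 0
    for name, length in IM_LAYOUT:
        fields[name] = data[pos:pos + length].strip()
        pos += length
    fields["suspected_packet"] = data[pos:pos + 1002]
    # Zoned(5,0) ports: 00000 means "any port" per Table 1, not port 0.
    for port in ("local_port", "remote_port"):
        fields[port] = None if fields[port] == "00000" else int(fields[port])
    if fields["probe_type"] not in PROBE_TYPES:
        raise ValueError(f"unknown probe type {fields['probe_type']!r}")
    if fields["event_type"] not in EVENT_TYPES:
        raise ValueError(f"unknown event type {fields['event_type']!r}")
    return fields


def build_sample() -> str:
    """Constructed copy of the page's sample entry (hidden fields blank)."""
    return ("P" + "2005-06-06-15.01.32.648272" + "9999" + " " + "00000"
            + "9.10.11.0".ljust(46) + " " + "00000" + "9.10.11.255".ljust(46)
            + "ATTACK" + " " * 4 + "RESTPROT")
```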

  • Scan events
    The intrusion detection system detects scans to individual ports.

  • Attack events
    The intrusion detection system detects different types of attack events and writes an Intrusion Monitor (IM) audit record in the QAUDJRN audit journal.
